Stricter European Privacy Rules: Think Twice Before Marketing Health Care Goods and Services Across the Atlantic

The GDPR will enter into force in May 2018, replacing the EU Data Protection Directive 95/46/EC. The GDPR is significantly more onerous than the Directive, seeking to enhance data privacy protections for Europeans. US health care organizations processing Europeans’ personal data should start preparing now for compliance.

US health care companies who may come into contact with personal data belonging to EU data subjects should carefully consider whether they will be subject to the GDPR. Unlike the Directive, the GDPR will also apply to organizations outside the EU where the organizations’ personal data processing activities relate to goods and services offered to individuals in the EU or to the monitoring of such individuals’ behavior. This will mean that US health care companies marketing health care goods and services to European residents may be subject to the GDPR.  

Arent Fox recently published an alert explaining what businesses need to know about the GDPR. And on March 14, 2016, the UK Information Commissioner’s Office issued useful guidance on steps organizations can take to prepare for the GDPR. These resources can help all companies – including health care companies – in determining what level of exposure they have under the GDPR and what measures they should take for compliance.